I would like to set up an entry in my sudoers file to allow a user to run a command without a password. I would also like to pass options to that command. What I have looks like this:
myuser ALL=(otheruser) NOPASSWD: /bin/myprog
When invoking it I want to do something like this:
myuser@myhost> sudo -u otheruser /bin/myprog -option value -option2 value2
Is there any way I can enclose those options in quotes and still have sudo run the program?
The options are built dynamically and I’m wondering if I leave things outside of quotes that there is a potential security risk that users will be able to append their own commands after /bin/myprog.
I’m 99% sure that what you’re doing should be fine. A subsequent command
on the same line (after a semicolon for example) should not run in a
privileged mode at all. Test to be sure, but that is my understanding of
sudo.
Also, you need to make sure your program (myprog) does not do anything
stupid and run code given to it unless you mean it to do that. Nothing
you do on the command line will do that for you.
Good luck.
pwright2 wrote:
> Hello,
>
> I would like to set up an entry in my sudoers file to allow a user to
> run a command without a password. I would also like to pass options to
> that command. What I have looks like this:
>
> myuser ALL=(otheruser) NOPASSWD: /bin/myprog
>
> When invoking it I want to do something like this:
>
> myuser@myhost> sudo -u otheruser /bin/myprog -option value -option2
> value2
>
> Is there any way I can enclose those options in quotes and still have
> sudo run the program?
>
> The options are built dynamically and I’m wondering if I leave things
> outside of quotes that there is a potential security risk that users
> will be able to append their own commands after /bin/myprog.
>
> Any thoughts?
>
> Thanks.
>
>
I did some testing and the options work great. This will be a command invoked from a web application (running under wwwrun).
For this to work, wwwrun will need to sudo over to another account and run a reporting tool with command options passed in via the application. Some of those are text box inputs (where a user may be able to put a semi-colon or whatever). This would allow the sudo command to run under the report account, and then come back and give control to wwwrun (I think)
For example (php code):
$arg1 = $_POST["argument1"];
$cmd = "/usr/bin/sudo /bin/myprog -arg1 $arg1";
exec($cmd, $output, $rc);
If user posts:
$arg1 as test; rm -rf /var/lib/wwwrun/*
Then I think this could have potential risks.
I was thinking 2 things:
1) wwwrun, to my understanding, does not own any “important” files on the filesystem by default (I checked the /var/lib/wwwrun directory and it is empty). I wonder if this user owns any files by default.
2) I could always enclose the arguments passed via $_POST in quotation marks:
$cmd = "/usr/bin/sudo /bin/myprog -arg1 \"$arg1\"";
Any suggestions on which would be better? Maybe a combination of both? Prevent against the possibility of giving command controls to wwwrun, but feel “safer” knowing that this user cannot really cause harm on the filesystem (I suppose it is always possible to kill the web server with some kill commands…)
First, be aware that what you’re doing is risky and you should probably be
reading everything in the world on SQL Injection and other types of
injection as that is what you are up against. If you put double-quotes
around something what prevents the attacker from putting a quote in there
as well?
What you need to be doing is looking at PHP’s commands for escaping data
for use like this.
After that is done make sure you VERY thoroughly test the functionality.
Quotes should be escaped by this so that may help. If you mess this up or
if your command via sudo is written poorly you will lose your system.
Good luck.
pwright2 wrote:
> I did some testing and the options work great. This will be a command
> invoked from a web application (running under wwwrun).
>
> For this to work, wwwrun will need to sudo over to another account and
> run a reporting tool with command options passed in via the application.
> Some of those are text box inputs (where a user may be able to put a
> semi-colon or whatever). This would allow the sudo command to run under
> the report account, and then come back and give control to wwwrun (I
> think)
>
> For example (php code):
> $arg1 = $_POST["argument1"];
> $cmd = "/usr/bin/sudo /bin/myprog -arg1 $arg1";
> exec($cmd, $output, $rc);
>
> If user posts:
> $arg1 as test; rm -rf /var/lib/wwwrun/*
>
> Then I think this could have potential risks.
>
> I was thinking 2 things:
> 1) wwwrun, to my understanding does not own any “important” files on
> the filesystem as a default (I checked the /var/lib/wwwrun directory and
> it is empty). I wonder if this user owns any files by default
> 2) I could always enclose the arguments passed via $_POST in quotation
> marks:
>
> $cmd = "/usr/bin/sudo /bin/myprog -arg1 \"$arg1\"";
>
> Any suggestions on which would be better? Maybe a comination of both?
> Prevent against the possibility of giving command controls to wwwrun,
> but feel “safer” knowing that this user cannot really cause harm on the
> filesystem (I suppose it is always possible to kill the web server with
> some kill commands…)
>
>
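A worked PHP version of the fix suggested in the reply above (allowlist the input, then escape it for the shell), added here as an example rather than code from the thread. It assumes the report account is called reportuser, that the sudoers rule is `wwwrun ALL=(reportuser) NOPASSWD: /bin/myprog`, and that /bin/myprog takes `-arg1 <value>`; all sample inputs are constructed.

```php
<?php
// Added example, not the poster's code. Assumed sudoers rule:
//   wwwrun ALL=(reportuser) NOPASSWD: /bin/myprog
// Assumed tool interface: /bin/myprog -arg1 <value>

// Step 1: allowlist. The report tool only needs a narrow character set,
// so reject anything else before it gets near a shell.
function validate_arg1(string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $value)) {
        throw new InvalidArgumentException('argument1 rejected by allowlist');
    }
    return $value;
}

// Step 2: escapeshellarg() wraps the value in single quotes and escapes any
// embedded single quote, so the shell hands it to sudo as ONE argument no
// matter which of ; | & $ ` or double quotes it contains. Plain "$arg1"
// in double quotes, as proposed in the thread, does not do this.
function build_command(string $arg1): string
{
    return '/usr/bin/sudo -u reportuser /bin/myprog -arg1 ' . escapeshellarg($arg1);
}

// Constructed inputs: the benign case, the semicolon case raised in the
// thread, and a value that breaks out of double quotes.
$cases = [
    'test',
    'test; rm -rf /var/lib/wwwrun/*',
    'a" ; id ; "b',
];

foreach ($cases as $input) {
    try {
        $cmd = build_command(validate_arg1($input));
        echo "accepted: $cmd\n";
    } catch (InvalidArgumentException $e) {
        // For comparison, show that even without the allowlist the escaped
        // form is a single quoted argument with no live command separator.
        echo "rejected (" . $e->getMessage() . "); escaped form would be: "
           . build_command($input) . "\n";
    }
}

// In the web application, only the validated and escaped form is executed:
// exec(build_command(validate_arg1($_POST['argument1'] ?? '')), $output, $rc);
```

The sudoers rule itself can be tightened further by listing the permitted argument pattern after the command path, so that sudo also refuses unexpected options regardless of what the PHP layer passes.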